From 0addbba742ef5470e911d391eb738e9da79ce7b7 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 1 Aug 2022 14:43:21 +0200 Subject: [PATCH 1/3] Update DISA RHEL8 STIG manual benchmark to V1R7 --- ... => disa-stig-rhel8-v1r7-xccdf-manual.xml} | 437 ++++++++++-------- 1 file changed, 233 insertions(+), 204 deletions(-) rename shared/references/{disa-stig-rhel8-v1r6-xccdf-manual.xml => disa-stig-rhel8-v1r7-xccdf-manual.xml} (96%) diff --git a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml similarity index 96% rename from shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml rename to shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml index 849ab06f66d..a02819d3002 100644 --- a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml +++ b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml 
@@ -1,4 +1,4 @@ -acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Apr 20223.3.0.273751.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. 
For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. 
@@ -849,7 +849,7 @@ $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf localpkg_gpgcheck =True -If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. @@ -867,7 +867,7 @@ kernel.kexec_load_disabled = 1 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify the operating system is configured to disable kernel image loading with the following commands: +$ sudo sysctl --systemVerify the operating system is configured to disable kernel image loading with the following commands: Check the status of the kernel.kexec_load_disabled kernel parameter. 
@@ -885,7 +885,7 @@ $ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sy If "kernel.kexec_load_disabled" is not set to "1", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010373RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. +If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010373RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. 
Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. @@ -907,7 +907,7 @@ fs.protected_symlinks = 1 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands: +$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands: Check the status of the fs.protected_symlinks kernel parameter. 
@@ -925,7 +925,7 @@ $ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl. If "fs.protected_symlinks" is not set to "1", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010374RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. +If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010374RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. 
Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. @@ -947,7 +947,7 @@ fs.protected_hardlinks = 1 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands: +$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands: Check the status of the fs.protected_hardlinks kernel parameter. 
@@ -965,7 +965,7 @@ $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl If "fs.protected_hardlinks" is not set to "1", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. @@ -987,7 +987,7 @@ kernel.dmesg_restrict = 1 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: +$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: Check the status of the kernel.dmesg_restrict kernel parameter. 
@@ -1005,7 +1005,7 @@ $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl. If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. @@ -1027,7 +1027,7 @@ kernel.perf_event_paranoid = 2 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: +$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: Check the status of the kernel.perf_event_paranoid kernel parameter. 
@@ -1045,15 +1045,25 @@ $ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sy If "kernel.perf_event_paranoid" is not set to "2", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010380RHEL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. +If conflicting results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010380RHEL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002038Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.Verify that "/etc/sudoers" has no occurrences of "NOPASSWD". 
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002038Configure the operating system to require users to supply a password for privilege escalation. + +Check the configuration of the "/etc/sudoers" file with the following command: +$ sudo visudo + +Remove any occurrences of "NOPASSWD" tags in the file. + +Check the configuration of the /etc/sudoers.d/* files with the following command: +$ sudo grep -ir nopasswd /etc/sudoers.d + +Remove any occurrences of "NOPASSWD" tags in the file.Verify that "/etc/sudoers" has no occurrences of "NOPASSWD". Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" by running the following command: -$ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/* +$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d %admin ALL=(ALL) NOPASSWD: ALL 
@@ -1222,7 +1232,7 @@ $ sudo grep slub_debug /etc/default/grub GRUB_CMDLINE_LINUX="slub_debug=P" -If "slub_debug" is not set to "P", is missing or commented out, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-08-010430RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. +If "slub_debug" is not set to "P", is missing or commented out, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-08-010430RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. @@ -1240,7 +1250,7 @@ kernel.randomize_va_space=2 Issue the following command to make the changes take effect: -$ sudo sysctl --systemVerify RHEL 8 implements ASLR with the following command: +$ sudo sysctl --systemVerify RHEL 8 implements ASLR with the following command: $ sudo sysctl kernel.randomize_va_space 
@@ -1256,7 +1266,7 @@ $ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sys If "kernel.randomize_va_space" is not set to "2", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-08-010440YUM must remove all software components after updated versions have been installed on RHEL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002617Configure the operating system to remove all software components after updated versions have been installed. +If conflicting results are returned, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-08-010440YUM must remove all software components after updated versions have been installed on RHEL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. 
Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002617Configure the operating system to remove all software components after updated versions have been installed. Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.conf" file: 
@@ -1590,7 +1600,7 @@ Main PID: 1130 (code=exited, status=0/SUCCESS) If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). -If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -1606,7 +1616,7 @@ kernel.core_pattern = |/bin/false The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands: +$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands: $ sudo sysctl kernel.core_pattern 
@@ -1622,24 +1632,26 @@ $ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/ If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. - -When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the systemd-coredump.socket with the following command: - -$ sudo systemctl mask systemd-coredump.socket - -Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null - -Reload the daemon for this change to take effect. 
- -$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to acquire, save, or process core dumps with the following command: +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + +A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. + +When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the systemd-coredump.socket with the following commands: + +$ sudo systemctl disable --now systemd-coredump.socket + +$ sudo systemctl mask systemd-coredump.socket + +Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null + +Reload the daemon for this change to take effect. 
+ +$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to acquire, save, or process core dumps with the following command: $ sudo systemctl status systemd-coredump.socket systemd-coredump.socket -Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) +Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) Active: inactive (dead) If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010673RHEL 8 must disable core dumps for all users.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -2347,40 +2359,40 @@ $ sudo grep -i lock-command /etc/tmux.conf set -g lock-command vlock -If the "lock-command" is not set in the global settings to call "vlock", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If the "lock-command" is not set in the global settings to call "vlock", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. -Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. +Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. 
-Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: -If [ "$PS1" ]; then +if [ "$PS1" ]; then +parent=$(ps -o ppid= -p $$) +name=$(ps -o comm= -p $parent) +case "$name" in (sshd|login) exec tmux ;; esac +fi + +This setting will take effect at next logon.Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands: + +Determine if tmux is currently running: +$ sudo ps all | grep tmux | grep -v grep + +If the command does not produce output, this is a finding. 
+ +Determine the location of the tmux script: +$ sudo grep -r tmux /etc/bashrc /etc/profile.d + +/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac + +Review the tmux script by using the following example: +$ sudo cat /etc/profile.d/tmux.sh +if [ "$PS1" ]; then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) case "$name" in (sshd|login) exec tmux ;; esac fi -This setting will take effect at next logon.Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands: - -Determine if tmux is currently running: -$ sudo ps all | grep tmux | grep -v grep - -If the command does not produce output, this is a finding. - -Determine the location of the tmux script: -$ sudo grep tmux /etc/bashrc/etc/profile.d/* - -/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac - -Review the tmux script by using the following example: -$ sudo cat /etc/profile.d/tmux.sh -If [ "$PS1" ]; then -parent=$(ps -o ppid= -p $$) -name=$(ps -o comm= -p $parent) -case "$name" in (sshd|login) exec tmux ;; esac -fi - If "tmux" is not configured as the example above, is commented out, or is missing, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020042RHEL 8 must prevent users from disabling session control mechanisms.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. 
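Review bot: the fix and the check in this hunk still name different scripts: the fix text (unchanged context) says to put the lines in a custom.sh under /etc/profile.d/, while the rewritten check greps for and cats /etc/profile.d/tmux.sh. Suggest aligning both on one file name, or wording the expected output as an example path, because `grep -r tmux /etc/bashrc /etc/profile.d` now searches the whole directory and will report whichever file the administrator actually used. The `If [ "$PS1" ]` to `if [ "$PS1" ]` correction is right (a capital If is not a shell keyword, so the old fix text was not valid shell). Separately, the `ps all | grep tmux | grep -v grep` step kept from the old check only produces output while a user is logged in through tmux, so an idle but correctly configured host is reported as a finding by that step; the profile.d grep is the part that verifies the configuration and should be the decisive check.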
@@ -2540,7 +2552,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality password required pam_pwquality.so -If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -2548,13 +2560,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): -ucredit = -1Verify the value for "ucredit" in "/etc/security/pwquality.conf" with the following command: +ucredit = -1Verify the value for "ucredit" with the following command: -$ sudo grep ucredit /etc/security/pwquality.conf +$ sudo grep -r ucredit /etc/security/pwquality.conf* -ucredit = -1 +/etc/security/pwquality.conf:ucredit = -1 -If the value of "ucredit" is a positive number or is commented out, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-08-020120RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the value of "ucredit" is a positive number or is commented out, this is a finding. +If conflicting results are returned, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-08-020120RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
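Review bot: the new `grep -r ucredit /etc/security/pwquality.conf*` also matches commented-out lines, and the newly added criterion "If conflicting results are returned, this is a finding" will then fire whenever a commented `ucredit` line (which the check text itself anticipates with "or is commented out") sits alongside an active `ucredit = -1` in a drop-in file. Suggest anchoring the pattern so comments are excluded, e.g. `grep -r '^\s*ucredit' /etc/security/pwquality.conf*`, or stating that commented matches are ignored when judging conflicts. The same point applies to the lcredit, dcredit, maxclassrepeat, maxrepeat, minclass, difok, minlen and ocredit hunks that follow, which make the identical change.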
@@ -2562,13 +2575,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): -lcredit = -1Verify the value for "lcredit" in "/etc/security/pwquality.conf" with the following command: +lcredit = -1Verify the value for "lcredit" with the following command: -$ sudo grep lcredit /etc/security/pwquality.conf +$ sudo grep -r lcredit /etc/security/pwquality.conf* -lcredit = -1 +/etc/security/pwquality.conf:lcredit = -1 -If the value of "lcredit" is a positive number or is commented out, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-08-020130RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the value of "lcredit" is a positive number or is commented out, this is a finding. +If conflicting results are returned, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-08-020130RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -2576,13 +2590,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): -dcredit = -1Verify the value for "dcredit" in "/etc/security/pwquality.conf" with the following command: +dcredit = -1Verify the value for "dcredit" with the following command: -$ sudo grep dcredit /etc/security/pwquality.conf +$ sudo grep -r dcredit /etc/security/pwquality.conf* -dcredit = -1 +/etc/security/pwquality.conf:dcredit = -1 -If the value of "dcredit" is a positive number or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020140RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the value of "dcredit" is a positive number or is commented out, this is a finding. +If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020140RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -2590,13 +2605,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): -maxclassrepeat = 4Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: +maxclassrepeat = 4Check for the value of the "maxclassrepeat" option with the following command: -$ sudo grep maxclassrepeat /etc/security/pwquality.conf +$ sudo grep -r maxclassrepeat /etc/security/pwquality.conf* -maxclassrepeat = 4 +/etc/security/pwquality.conf:maxclassrepeat = 4 -If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020150RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding. +If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020150RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -2604,13 +2620,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): -maxrepeat = 3Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: +maxrepeat = 3Check for the value of the "maxrepeat" option with the following command: -$ sudo grep maxrepeat /etc/security/pwquality.conf +$ sudo grep -r maxrepeat /etc/security/pwquality.conf* -maxrepeat = 3 +/etc/security/pwquality.conf:maxrepeat = 3 -If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020160RHEL 8 must require the change of at least four character classes when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding. +If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020160RHEL 8 must require the change of at least four character classes when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -2618,12 +2635,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): -minclass = 4Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: +minclass = 4Verify the value of the "minclass" option with the following command: + +$ sudo grep -r minclass /etc/security/pwquality.conf* -$ sudo grep minclass /etc/security/pwquality.conf -minclass = 4 +/etc/security/pwquality.conf:minclass = 4 -If the value of "minclass" is set to less than "4" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020170RHEL 8 must require the change of at least 8 characters when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the value of "minclass" is set to less than "4" or is commented out, this is a finding. +If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020170RHEL 8 must require the change of at least 8 characters when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -2631,13 +2650,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): -difok = 8Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: +difok = 8Verify the value of the "difok" option with the following command: -$ sudo grep difok /etc/security/pwquality.conf +$ sudo grep -r difok /etc/security/pwquality.conf* -difok = 8 +/etc/security/pwquality.conf:difok = 8 -If the value of "difok" is set to less than "8" or is commented out, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-08-020180RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: +If the value of "difok" is set to less than "8" or is commented out, this is a finding. 
+If conflicting results are returned, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-08-020180RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: $ sudo chage -m 1 [user]Check whether the minimum time period between password changes for each user account is one day or greater. 
@@ -2689,7 +2709,7 @@ $ sudo grep -i remember /etc/pam.d/password-auth password required pam_pwhistory.so use_authtok remember=5 retry=3 -If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020230RHEL 8 passwords must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. +If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020230RHEL 8 passwords must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. 
@@ -2701,14 +2721,16 @@ The DoD minimum password requirement is 15 characters.</VulnDiscussion>< Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): -minlen = 15Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password. +minlen = 15Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password. -Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command: +Check for the value of the "minlen" option with the following command: -$ sudo grep minlen /etc/security/pwquality.conf -minlen = 15 +$ sudo grep -r minlen /etc/security/pwquality.conf* -If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020231RHEL 8 passwords for new users must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. +/etc/security/pwquality.conf:minlen = 15 + +If the command does not return a "minlen" value of 15 or greater, this is a finding. +If conflicting results are returned, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020231RHEL 8 passwords for new users must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. @@ -2804,7 +2826,7 @@ For every existing emergency account, run the following command to obtain its ac $ sudo chage -l system_account_name Verify each of these accounts has an expiration date set within 72 hours. -If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-08-020280All RHEL 8 passwords must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-08-020280All RHEL 8 passwords must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
@@ -2812,13 +2834,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): -ocredit = -1Verify the value for "ocredit" in "/etc/security/pwquality.conf" with the following command: +ocredit = -1Verify the value for "ocredit" with the following command: -$ sudo grep ocredit /etc/security/pwquality.conf +$ sudo grep -r ocredit /etc/security/pwquality.conf* -ocredit = -1 +/etc/security/pwquality.conf:ocredit = -1 -If the value of "ocredit" is a positive number or is commented out, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>RHEL-08-020290RHEL 8 must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable. +If the value of "ocredit" is a positive number or is commented out, this is a finding. +If conflicting results are returned, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>RHEL-08-020290RHEL 8 must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable. RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). 
By default sssd does not cache credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002007Configure the SSSD to prohibit the use of cached authentications after one day. 
@@ -2842,19 +2865,20 @@ $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf offline_credentials_expiration = 1 -If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>RHEL-08-020300RHEL 8 must prevent the use of dictionary words for passwords.<VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent the use of dictionary words for passwords. 
+If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>RHEL-08-020300RHEL 8 must prevent the use of dictionary words for passwords.<VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent the use of dictionary words for passwords. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: -dictcheck=1Verify RHEL 8 prevents the use of dictionary words for passwords. +dictcheck=1Verify RHEL 8 prevents the use of dictionary words for passwords. 
-Determine if the field "dictcheck" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command: +Determine if the field "dictcheck" is set with the following command: -$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf +$ sudo grep -r dictcheck /etc/security/pwquality.conf* -dictcheck=1 +/etc/security/pwquality.conf:dictcheck=1 -If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-08-020310RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. +If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-08-020310RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. 
Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. 
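Review bot: the fix text kept as context in this hunk still points at "a configuration file in the /etc/pwquality.conf.d/ directory", but the rewritten check `grep -r dictcheck /etc/security/pwquality.conf*` only searches /etc/security/pwquality.conf and whatever matches that glob under /etc/security/, whereas the removed check explicitly listed /etc/pwquality.conf.d/*.conf. An administrator who follows the fix literally would then fail the check. Suggest making the fix and the check name the same directory, and, as in the other pwquality hunks, anchoring the pattern (`^\s*dictcheck`) so a commented line is not counted as a conflicting result.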
@@ -4281,7 +4305,7 @@ root /sbin/auditd root /sbin/rsyslogd root /sbin/augenrules -If any of the audit tools are not group-owned by "root", this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>RHEL-08-030650RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. +If any of the audit tools are not group-owned by "root", this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>RHEL-08-030650RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. 
@@ -4296,13 +4320,13 @@ To address this risk, audit tools must be cryptographically signed to provide th /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. +/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. Check the selection lines to ensure AIDE is configured to add/check with the following command: -$ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf +$ sudo egrep '(\/usr\/sbin\/(audit|au|rsys))' /etc/aide.conf /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 
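Review bot: the expected output in this hunk lists a `/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512` selection line that the old pattern `'(\/usr\/sbin\/(audit|au))'` could never have matched, so widening it to `'(\/usr\/sbin\/(audit|au|rsys))'` makes the check consistent with its own sample output; worth confirming the project's AIDE check for this rule covers rsyslogd too. The added sentence "If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system." also means an absent aide package is no longer an automatic finding by itself, which matters for any automated check that fails purely on package presence.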
@@ -4312,7 +4336,7 @@ $ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 -If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030660RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. +If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030660RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. 
The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001849Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. 
@@ -4951,17 +4975,25 @@ p2p-dev-wlp7s0 wifi-p2p disconnected -- lo loopback unmanaged -- virbr0-nic tun unmanaged -- -If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.SRG-OS-000300-GPOS-00118<GroupDescription></GroupDescription>RHEL-08-040111RHEL 8 Bluetooth must be disabled.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. +If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.SRG-OS-000300-GPOS-00118<GroupDescription></GroupDescription>RHEL-08-040111RHEL 8 Bluetooth must be disabled.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. -Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001443Configure the operating system to disable the Bluetooth adapter when not in use. +Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001443Configure the operating system to disable the Bluetooth adapter when not in use. Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: install bluetooth /bin/true -Reboot the system for the settings to take effect.If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable. +Disable the ability to use the Bluetooth kernel module. + +$ sudo vi /etc/modprobe.d/blacklist.conf + +Add or update the line: + +blacklist bluetooth + +Reboot the system for the settings to take effect.If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable. This requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision. 
@@ -4971,7 +5003,15 @@ $ sudo grep bluetooth /etc/modprobe.d/* /etc/modprobe.d/bluetooth.conf:install bluetooth /bin/true -If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040120RHEL 8 must mount /dev/shm with the nodev option.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. +If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding. + +Verify the operating system disables the ability to use Bluetooth with the following command: + +$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#" + +blacklist bluetooth + +If the command does not return any output or the output is not "blacklist bluetooth", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040120RHEL 8 must mount /dev/shm with the nodev option.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. 
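Review bot: the new verification pipeline `$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#"` does not do what the surrounding text expects. Because `grep -r` is run on a directory, every output line carries a `path:` prefix (the line just above shows the form, `/etc/modprobe.d/bluetooth.conf:install bluetooth /bin/true`), so `grep -v "^#"` never removes a commented-out `#blacklist bluetooth` entry, `grep -i "blacklist"` will also match on a file name such as blacklist.conf regardless of the line's content, and the literal expected output `blacklist bluetooth` will not appear without a file prefix. This is DISA's text and must stay verbatim in the reference file, but the project's own check for this rule should not copy the pipeline as written; it should match `^\s*blacklist\s+bluetooth` on file content and treat `install bluetooth /bin/true` as the companion setting the fix text still requires.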
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. 
@@ -5361,15 +5401,17 @@ $ sudo grep -i RekeyLimit /etc/ssh/sshd_config RekeyLimit 1G 1h -If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040170The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command: - -$ sudo systemctl mask ctrl-alt-del.target - -Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null - -Reload the daemon for this change to take effect. 
- -$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: +If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040170The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: + +$ sudo systemctl disable ctrl-alt-del.target + +$ sudo systemctl mask ctrl-alt-del.target + +Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null + +Reload the daemon for this change to take effect. + +$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: $ sudo systemctl status ctrl-alt-del.target 
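Review bot: the fix text now lists two commands, `$ sudo systemctl disable ctrl-alt-del.target` followed by `$ sudo systemctl mask ctrl-alt-del.target`, while the check text is unchanged and only inspects `$ sudo systemctl status ctrl-alt-del.target`. The project's remediation for this rule should gain the disable step so it mirrors the benchmark, and since the check itself still keys on the masked state, confirming that the added disable does not alter the expected status output would avoid a mismatch between fix and check.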
@@ -5438,7 +5480,7 @@ If the account is associated with system commands or applications, the UID shoul $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd -If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -5454,7 +5496,7 @@ net.ipv6.conf.default.accept_redirects = 0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 will not accept IPv6 ICMP redirect messages. +$ sudo sysctl --systemVerify RHEL 8 will not accept IPv6 ICMP redirect messages. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. @@ -5474,7 +5516,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/ If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. 
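Review bot: the second hunk here replaces "If results are returned from more than one file location, this is a finding." with "If conflicting results are returned, this is a finding.", and the same substitution repeats in every sysctl rule that follows (RHEL-08-040220, -040230, -040240, -040250, -040260, -040261, -040262, -040270 and -040280 in later hunks). This is a relaxation: the benchmark now only fails when two files set different values for the option, not when the same value appears in two places. Any project check that currently counts matching files rather than comparing their values will over-report findings against V1R7 and should be aligned, ideally in one shared macro so all nine rules change together.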
@@ -5492,9 +5534,7 @@ net.ipv4.conf.all.send_redirects=0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages. - -Note: If IPv4 is disabled on the system, this requirement is Not Applicable. +$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages. Check the value of the "all send_redirects" variables with the following command: 
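Review bot: this hunk drops the sentence "Note: If IPv4 is disabled on the system, this requirement is Not Applicable." from the send_redirects check, and the same removal appears for icmp_echo_ignore_broadcasts and default.send_redirects in later hunks, while the IPv6 rules keep their "If IPv6 is disabled" note. If the project models that applicability condition anywhere for the IPv4 sysctl rules, it should be removed for these three rules only; the IPv6 counterparts are unchanged in that respect. The retained check heading "Verify RHEL 8 does not IPv4 ICMP redirect messages." is missing its verb in both the old and new text, but that is the benchmark's wording and stays as-is in the reference file.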
@@ -5512,7 +5552,7 @@ $ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/ If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
@@ -5529,9 +5569,7 @@ net.ipv4.icmp_echo_ignore_broadcasts=1 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. - -Note: If IPv4 is disabled on the system, this requirement is Not Applicable. +$ sudo sysctl --systemVerify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: 
@@ -5549,7 +5587,7 @@ $ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/lo If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -5565,7 +5603,7 @@ net.ipv6.conf.all.accept_source_route=0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets. +$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. 
@@ -5585,7 +5623,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/l If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -5601,7 +5639,7 @@ net.ipv6.conf.default.accept_source_route=0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets by default. +$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets by default. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. 
@@ -5621,7 +5659,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /u If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -5637,7 +5675,7 @@ net.ipv6.conf.all.forwarding=0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. +$ sudo sysctl --systemVerify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. @@ -5657,7 +5695,7 @@ $ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/ If "net.ipv6.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040261RHEL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040261RHEL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack. 
@@ -5675,7 +5713,7 @@ net.ipv6.conf.all.accept_ra=0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. +$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. Note: If IPv6 is disabled on the system, this requirement is not applicable. @@ -5695,7 +5733,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/s If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040262RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040262RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack. 
@@ -5713,7 +5751,7 @@ net.ipv6.conf.default.accept_ra=0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. +$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. Note: If IPv6 is disabled on the system, this requirement is not applicable. 
@@ -5733,7 +5771,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/l If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. 
@@ -5751,9 +5789,7 @@ net.ipv4.conf.default.send_redirects = 0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. - -Note: If IPv4 is disabled on the system, this requirement is Not Applicable. +$ sudo sysctl --systemVerify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. Check the value of the "default send_redirects" variables with the following command: 
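Review bot: this hunk drops the "Note: If IPv4 is disabled on the system, this requirement is Not Applicable." sentence from the IPv4 send_redirects check, while the IPv6 counterparts in this patch keep or gain their IPv6 Not Applicable note, so the IPv4 rules become unconditional in the benchmark. If the project marks the corresponding rules as applicable only when IPv4 is enabled, that applicability should be reviewed alongside this update. The same removal appears in the accept_redirects and accept_source_route hunks further down.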
@@ -5771,7 +5807,7 @@ $ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/lo If "net.ipv4.conf.default.send_redirects" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -5787,7 +5823,7 @@ net.ipv6.conf.all.accept_redirects = 0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 ignores IPv6 ICMP redirect messages. +$ sudo sysctl --systemVerify RHEL 8 ignores IPv6 ICMP redirect messages. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. 
@@ -5807,7 +5843,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/loca If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -5821,7 +5857,7 @@ kernel.unprivileged_bpf_disabled = 1 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: +$ sudo sysctl --systemVerify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: $ sudo sysctl kernel.unprivileged_bpf_disabled 
@@ -5837,7 +5873,7 @@ $ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/ If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -5851,7 +5887,7 @@ kernel.yama.ptrace_scope = 1 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: +$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: $ sudo sysctl kernel.yama.ptrace_scope 
@@ -5867,7 +5903,7 @@ $ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysc If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -5881,13 +5917,13 @@ kernel.kptr_restrict = 1 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: +$ sudo sysctl --systemVerify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: $ sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 -If the returned line does not have a value of "1", or a line is not returned, this is a finding. +If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. 
@@ -5895,9 +5931,9 @@ $ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d /etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1 -If "kernel.kptr_restrict" is not set to "1", is missing or commented out, this is a finding. +If "kernel.kptr_restrict" is not set to "1" or "2", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040284RHEL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040284RHEL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
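Review bot: the check text for kernel.kptr_restrict now passes on "1" or "2", but the fix text in the hunk context still sets "kernel.kptr_restrict = 1", so the benchmark's remediation and its check are no longer a one-to-one match. Any automated check for this rule should accept either value; keeping 1 in remediation is fine, as 2 is the stricter setting (kernel pointers are hidden from all users, not only from those without CAP_SYSLOG), so a system already at 2 must not be flagged or "fixed" back to 1.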
@@ -5913,7 +5949,7 @@ user.max_user_namespaces = 0 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify RHEL 8 disables the use of user namespaces with the following commands: +$ sudo sysctl --systemVerify RHEL 8 disables the use of user namespaces with the following commands: Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. 
@@ -5931,7 +5967,7 @@ $ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysc If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -5945,13 +5981,13 @@ net.ipv4.conf.all.rp_filter = 1 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: +$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: $ sudo sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.all.rp_filter = 1 -If the returned line does not have a value of "1", or a line is not returned, this is a finding. +If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. 
@@ -5959,9 +5995,9 @@ $ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/s /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1 -If "net.ipv4.conf.all.rp_filter" is not set to "1", is missing or commented out, this is a finding. +If "net.ipv4.conf.all.rp_filter" is not set to "1" or "2", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized 
activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Verify the system is configured to prevent unrestricted mail relaying. 
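Review bot: the check for net.ipv4.conf.all.rp_filter now accepts "1" or "2" while the fix text in the hunk context still sets "net.ipv4.conf.all.rp_filter = 1"; unlike the kptr_restrict case, "2" is the weaker of the two (loose reverse path filtering, where a packet is accepted if its source is reachable via any interface, versus strict mode with "1"). A check that tracks this benchmark should therefore pass on either value without changing the remediation away from 1. Separately, the "+If conflicting results are returned ..." line is split across two lines here by extraction; the underlying patch line is a single line and should be left as it is.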
@@ -6155,23 +6191,22 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw -Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. +Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. -$ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' +$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw -If no results are returned, this is a finding. -If results are returned from more than one file location, this is a finding. +If conflicting results are returned, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. -If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
+If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. @@ -6181,12 +6216,12 @@ $ sudo visudo Add or modify the following line: Defaults timestamp_timeout=[value] -Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. +Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. -$ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* +$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d /etc/sudoers:Defaults timestamp_timeout=0 -If results are returned from more than one file location, this is a finding. +If conflicting results are returned, this is a finding. If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010049RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
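Review bot: the new verification command in the sudoers hunk, "$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#'", uses the glob "/etc/sudoers.d*" without a trailing slash, so the shell will also expand it to any sibling such as a leftover /etc/sudoers.d.rpmsave, whereas the timestamp_timeout hunk that follows uses plain "/etc/sudoers.d" with "grep -ir"; the trailing "grep -v '#'" also discards any line that contains a "#" anywhere, not only commented-out lines. Dropping the "!" from the pattern means entries that enable rootpw, targetpw or runaspw are now returned too, which is what the new "If conflicting results are returned" clause is meant to catch, and the old "If no results are returned, this is a finding." line is removed because the three per-flag "is not defined" checks already cover that case. All of this is upstream DISA wording and must stay verbatim in this reference file, but the project's own check for RHEL-08-010383 should not copy the glob.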
@@ -6735,7 +6770,7 @@ $ sudo yum list installed openssh-server openssh-server.x86_64 8.0p1-5.el8 @anaconda -If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -6751,9 +6786,7 @@ net.ipv4.conf.default.accept_redirects = 0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 will not accept IPv4 ICMP redirect messages. - -Note: If IPv4 is disabled on the system, this requirement is Not Applicable. +$ sudo sysctl --systemVerify RHEL 8 will not accept IPv4 ICMP redirect messages. Check the value of the default "accept_redirects" variables with the following command: 
@@ -6771,7 +6804,7 @@ $ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/ If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -6787,9 +6820,7 @@ net.ipv4.conf.all.accept_source_route=0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets. - -Note: If IPv4 is disabled on the system, this requirement is Not Applicable. +$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets. Check the value of the accept source route variable with the following command: 
@@ -6807,7 +6838,7 @@ $ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/l If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -6823,9 +6854,7 @@ net.ipv4.conf.default.accept_source_route=0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets by default. - -Note: If IPv4 is disabled on the system, this requirement is Not Applicable. +$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets by default. Check the value of the accept source route variable with the following command: 
@@ -6843,7 +6872,7 @@ $ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /u If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -6859,9 +6888,7 @@ net.ipv4.conf.all.accept_redirects = 0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 ignores IPv4 ICMP redirect messages. - -Note: If IPv4 is disabled on the system, this requirement is Not Applicable. +$ sudo sysctl --systemVerify RHEL 8 ignores IPv4 ICMP redirect messages. Check the value of the "accept_redirects" variables with the following command: @@ -6879,7 +6906,7 @@ $ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/loca If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users. 
@@ -6895,7 +6922,7 @@ net.core.bpf_jit_harden = 2 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: -$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands: +$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands: $ sudo sysctl net.core.bpf_jit_harden 
@@ -6911,7 +6938,7 @@ $ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysct If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. +If conflicting results are returned, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. 
These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. Procedure: Check that the following package has been installed: 
@@ -6985,7 +7012,7 @@ $ sudo ls -Zd /var/log/faillock unconfined_u:object_r:faillog_t:s0 /var/log/faillock -If the security context type of the non-default tally directory is not "faillog_t", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040259RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +If the security context type of the non-default tally directory is not "faillog_t", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040259RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf 
@@ -7001,15 +7028,13 @@ net.ipv4.conf.all.forwarding=0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router. - -Note: If IPv4 is disabled on the system, this requirement is Not Applicable. +$ sudo sysctl --systemVerify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router. Check that IPv4 forwarding is disabled using the following command: -$ sudo sysctl net.ipv4.ip_forward +$ sudo sysctl net.ipv4.conf.all.forwarding -net.ipv4.ip_forward = 0 +net.ipv4.conf.all.forwarding = 0 If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. 
@@ -7020,7 +7045,7 @@ $ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/ If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. -If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username] 
@@ -7071,8 +7096,8 @@ aide-0.16-14.el8.x86_64 If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. -If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010379RHEL 8 must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. - +If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010379RHEL 8 must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. + It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. 
Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. Edit the /etc/sudoers file with the following command: @@ -7080,7 +7105,9 @@ Edit the /etc/sudoers file with the following command: $ sudo visudo Add or modify the following line: -#includedir /etc/sudoers.dVerify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: +#includedir /etc/sudoers.dNote: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. + +Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: $ sudo grep include /etc/sudoers 
@@ -7090,7 +7117,7 @@ If the results are not "/etc/sudoers.d" or additional files or directories are s Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: -$ sudo grep include /etc/sudoers.d/* +$ sudo grep -r include /etc/sudoers.d If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010385The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
@@ -7163,7 +7190,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality password required pam_pwquality.so retry=3 -If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. +If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: /etc/pam.d/password-auth 
@@ -7172,18 +7199,20 @@ By limiting the number of attempts to meet the pwquality module complexity requi Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value): -retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. +retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. Verify the operating system is configured to limit the "pwquality" retry option to 3. Check for the use of the "pwquality" retry option with the following command: -$ sudo grep retry /etc/security/pwquality.conf +$ sudo grep -r retry /etc/security/pwquality.conf* -retry = 3 +/etc/security/pwquality.conf:retry = 3 If the value of "retry" is set to "0" or greater than "3", is commented out or missing, this is a finding. +If conflicting results are returned, this is a finding. + Check for the use of the "pwquality" retry option in the system-auth and password-auth files with the following command: $ sudo grep retry /etc/pam.d/system-auth /etc/pam.d/password-auth From feea7690b848d68c150712c841c74703b70e1a02 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 1 Aug 2022 14:46:19 +0200 Subject: [PATCH 2/3] Update DISA STIG RHEL8 SCAP content to V1R6 The V1R6 SCAP content is aligned with the V1R7 manual benchmark. --- ...ml => disa-stig-rhel8-v1r6-xccdf-scap.xml} | 945 ++++++++++-------- 1 file changed, 539 insertions(+), 406 deletions(-) rename shared/references/{disa-stig-rhel8-v1r5-xccdf-scap.xml => disa-stig-rhel8-v1r6-xccdf-scap.xml} (96%) diff --git a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml similarity index 96% rename from shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml rename to shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml index 1bd2fb7b659..e87b16eb377 100644 
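Review bot: The check text for RHEL-08-040209 (net.ipv4.conf.default.accept_source_route) in the first hunk changes the finding condition from "results are returned from more than one file location" to "conflicting results are returned", and the same relaxation repeats in the accept_redirects, bpf_jit_harden and conf.all.forwarding hunks below it. This is a semantic change, not a wording fix: a duplicated entry with the same value is no longer a finding, only entries that disagree. Any project rule or OVAL that mirrors the old V1R6 wording for these sysctl checks should be compared against the new text, otherwise the project will report findings the benchmark no longer defines.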
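Review bot: The RHEL-08-040279 hunk drops the line "Note: If IPv4 is disabled on the system, this requirement is Not Applicable." from the check, and the RHEL-08-040259 hunk drops the identical note. With those lines gone the benchmark applies both requirements unconditionally; if the project's rules for these IDs carry an IPv4 applicability condition derived from the old note, that condition no longer matches the reference and should be reconsidered in the follow-up content update.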
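Review bot: In the RHEL-08-040259 hunk the check command and expected output move from "net.ipv4.ip_forward" to "net.ipv4.conf.all.forwarding", which finally matches the fix text "net.ipv4.conf.all.forwarding=0" and the grep for the same key in the following hunk. Worth confirming that the project rule mapped to RHEL-08-040259 checks the same sysctl key as the benchmark now does, since a rule still built around net.ipv4.ip_forward would no longer correspond to the STIG check.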
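Review bot: The RHEL-08-010379 hunk adds "Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable." while the unchanged fix text immediately above still instructs adding "#includedir /etc/sudoers.d"; applying the fix makes a system that was Not Applicable become applicable, which is an odd circularity the project may want to handle explicitly in its rule. In the next hunk the check becomes "$ sudo grep -r include /etc/sudoers.d" with "If results are returned, this is a finding."; the recursive grep matches the substring "include" anywhere, including in comment lines, so the project's automated check should decide whether commented occurrences are a finding rather than copying the grep literally.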
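Review bot: The RHEL-08-020104 hunk widens the retry check to "$ sudo grep -r retry /etc/security/pwquality.conf*", which covers both pwquality.conf and the pwquality.conf.d directory, and adds "If conflicting results are returned, this is a finding." The expected output now carries a filename prefix ("/etc/security/pwquality.conf:retry = 3"), so any project check that compares against the bare "retry = 3" string needs adjusting. Note that libpwquality reads the conf.d files after the main file and lets later settings override earlier ones, so a differing value in conf.d is a legitimate override at runtime; the benchmark nevertheless counts it as a finding, and the project's rule should state which behaviour it follows.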
--- a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml +++ b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml @@ -1,36 +1,36 @@ - - + + - + - + - + - + - - + + - + Red Hat Enterprise Linux 8 - oval:mil.disa.stig.rhel8:def:1 + oval:mil.disa.stig.rhel8:def:1 - + - accepted + accepted Red Hat Enterprise Linux 8 Security Technical Implementation Guide This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. @@ -40,11 +40,11 @@ DISA STIG.DOD.MIL - Release: 1.5 Benchmark Date: 27 Apr 2022 + Release: 1.6 Benchmark Date: 27 Jul 2022 3.3.0.27375 1.10.0 - 001.005 + 001.006 DISA DISA @@ -2189,15 +2189,15 @@ - - - - - - + + + + + + - + @@ -2217,7 +2217,7 @@ - + @@ -2237,26 +2237,26 @@ - + - - - - - - - + + + + + + + - + - - + + @@ -2337,7 +2337,7 @@ - + @@ -2355,21 +2355,21 @@ - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + @@ -2379,9 +2379,9 @@ - - - + + + SRG-OS-000480-GPOS-00227 @@ -2403,7 +2403,7 @@ Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise L Upgrade to a supported version of RHEL 8. - + @@ -2439,7 +2439,7 @@ $ sudo fips-mode-setup --enable Reboot the system for the changes to take effect. - + @@ -2469,7 +2469,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M ENCRYPT_METHOD SHA512 - + @@ -2493,7 +2493,7 @@ Passwords need to be protected at all times, and encryption is the standard meth Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. - + @@ -2521,7 +2521,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ SHA_CRYPT_MIN_ROUNDS 5000 - + 
@@ -2549,7 +2549,7 @@ Enter password: Confirm password: - + @@ -2577,7 +2577,7 @@ Enter password: Confirm password: - + @@ -2601,7 +2601,7 @@ Confirm password: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - + @@ -2631,7 +2631,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include password sufficient pam_unix.so sha512 - + @@ -2661,7 +2661,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access Remove any files with the .keytab extension from the operating system. - + @@ -2691,7 +2691,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access $ sudo yum remove krb5-workstation - + @@ -2717,7 +2717,7 @@ Policycoreutils contains the policy core utilities that are required for basic o $ sudo yum install policycoreutils - + @@ -2753,7 +2753,7 @@ In order for the changes to take effect, the SSH daemon must be restarted. $ sudo systemctl restart sshd.service - + @@ -2779,7 +2779,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0640 /var/log/messages - + @@ -2805,7 +2805,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log/messages - + @@ -2831,7 +2831,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log/messages - + @@ -2857,7 +2857,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0755 /var/log - + @@ -2883,7 +2883,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log - + @@ -2909,7 +2909,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log - + @@ -2939,7 +2939,7 @@ SSH_USE_STRONG_RNG=32 The SSH service must be restarted for changes to take effect. - + 
@@ -2977,7 +2977,7 @@ DTLS.MinProtocol = DTLSv1.2 A reboot is required for the changes to take effect. - + @@ -3005,7 +3005,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod $ sudo chmod 755 [FILE] - + @@ -3033,7 +3033,7 @@ Run the following command, replacing "[FILE]" with any system command file not o $ sudo chown root [FILE] - + @@ -3061,7 +3061,7 @@ Run the following command, replacing "[FILE]" with any system command file not g $ sudo chgrp root [FILE] - + @@ -3089,7 +3089,7 @@ Verifying the authenticity of the software prior to installation validates the i gpgcheck=1 - + @@ -3119,14 +3119,14 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: localpkg_gpgcheck=True - + SRG-OS-000366-GPOS-00153 <GroupDescription></GroupDescription> - + RHEL-08-010372 RHEL 8 must prevent the loading of a new kernel for later execution. <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. @@ -3159,14 +3159,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - + RHEL-08-010373 RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
@@ -3203,14 +3203,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - + RHEL-08-010374 RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. @@ -3247,14 +3247,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - + RHEL-08-010375 RHEL 8 must restrict access to the kernel message buffer. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
@@ -3291,14 +3291,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - + RHEL-08-010376 RHEL 8 must prevent kernel profiling by unprivileged users. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. @@ -3335,14 +3335,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000373-GPOS-00156 <GroupDescription></GroupDescription> - + RHEL-08-010380 RHEL 8 must require users to provide a password for privilege escalation. <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. @@ -3358,10 +3358,20 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO 2921 CCI-002038 - Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - + Configure the operating system to require users to supply a password for privilege escalation. + +Check the configuration of the "/etc/sudoers" file with the following command: +$ sudo visudo + +Remove any occurrences of "NOPASSWD" tags in the file. + +Check the configuration of the /etc/sudoers.d/* files with the following command: +$ sudo grep -ir nopasswd /etc/sudoers.d + +Remove any occurrences of "NOPASSWD" tags in the file. + - + 
@@ -3387,7 +3397,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - + @@ -3419,14 +3429,14 @@ This requirement only applies to components where this is specific to the functi $ sudo yum install openssl-pkcs11 - + SRG-OS-000433-GPOS-00193 <GroupDescription></GroupDescription> - + RHEL-08-010430 RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. @@ -3459,7 +3469,7 @@ Issue the following command to make the changes take effect: $ sudo sysctl --system - + @@ -3485,7 +3495,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con clean_requirements_on_remove=True - + @@ -3515,7 +3525,7 @@ SELINUXTYPE=targeted A reboot is required for the changes to take effect. - + @@ -3539,7 +3549,7 @@ A reboot is required for the changes to take effect. $ sudo rm /etc/ssh/shosts.equiv - + @@ -3563,7 +3573,7 @@ $ sudo rm /etc/ssh/shosts.equiv $ sudo rm /[path]/[to]/[file]/.shosts - + @@ -3591,7 +3601,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -3619,7 +3629,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + 
@@ -3647,7 +3657,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -3673,7 +3683,7 @@ Compression no The SSH service must be restarted for changes to take effect. - + @@ -3703,7 +3713,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -3733,7 +3743,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -3755,7 +3765,7 @@ $ sudo systemctl restart sshd.service Migrate the "/var" path onto a separate file system. - + @@ -3777,7 +3787,7 @@ $ sudo systemctl restart sshd.service Migrate the "/var/log" path onto a separate file system. - + @@ -3799,7 +3809,7 @@ $ sudo systemctl restart sshd.service Migrate the system audit data path onto a separate file system. - + @@ -3821,7 +3831,7 @@ $ sudo systemctl restart sshd.service Migrate the "/tmp" directory onto a separate file system/partition. - + @@ -3851,7 +3861,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -3879,7 +3889,7 @@ $ sudo systemctl start rsyslog.service $ sudo systemctl enable rsyslog.service - + @@ -3901,7 +3911,7 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. - + @@ -3923,7 +3933,7 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. - + @@ -3945,7 +3955,7 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. - + @@ -3967,7 +3977,7 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. - + 
@@ -3989,14 +3999,14 @@ $ sudo systemctl enable rsyslog.service Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010671 RHEL 8 must disable the kernel.core_pattern. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -4027,7 +4037,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + @@ -4055,7 +4065,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con * hard core 0 - + @@ -4083,7 +4093,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: Storage=none - + @@ -4111,7 +4121,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0 - + @@ -4135,7 +4145,7 @@ ProcessSizeMax=0 CREATE_HOME yes - + @@ -4165,7 +4175,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -4203,7 +4213,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -4235,7 +4245,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: deny = 3 - + @@ -4273,7 +4283,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -4305,7 +4315,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: fail_interval = 900 - + @@ -4343,7 +4353,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + 
@@ -4375,7 +4385,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: unlock_time = 0 - + @@ -4413,7 +4423,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -4445,7 +4455,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: silent - + @@ -4485,7 +4495,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -4517,7 +4527,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: audit - + @@ -4557,7 +4567,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -4589,7 +4599,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: even_deny_root - + @@ -4617,7 +4627,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con * hard maxlogins 10 - + 
@@ -4649,21 +4659,21 @@ Create a global configuration file "/etc/tmux.conf" and add the following line: set -g lock-command vlock - + SRG-OS-000028-GPOS-00009 <GroupDescription></GroupDescription> - + RHEL-08-020041 RHEL 8 must ensure session control is automatically started at shell initialization. <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. -Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. +Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -4674,18 +4684,18 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion 2921 CCI-000056 - Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: + Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: -If [ "$PS1" ]; then +if [ "$PS1" ]; then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) case "$name" in (sshd|login) exec tmux ;; esac fi This setting will take effect at next logon. - + - + @@ -4713,7 +4723,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux. - + @@ -4743,14 +4753,14 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin password required pam_pwquality.so - + SRG-OS-000069-GPOS-00037 <GroupDescription></GroupDescription> - + RHEL-08-020110 RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
@@ -4773,14 +4783,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha ucredit = -1 - + SRG-OS-000070-GPOS-00038 <GroupDescription></GroupDescription> - + RHEL-08-020120 RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -4803,14 +4813,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha lcredit = -1 - + SRG-OS-000071-GPOS-00039 <GroupDescription></GroupDescription> - + RHEL-08-020130 RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -4833,14 +4843,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha dcredit = -1 - + SRG-OS-000072-GPOS-00040 <GroupDescription></GroupDescription> - + RHEL-08-020140 RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
@@ -4863,14 +4873,14 @@ Add the following line to "/etc/security/pwquality.conf" conf (or modify the lin maxclassrepeat = 4 - + SRG-OS-000072-GPOS-00040 <GroupDescription></GroupDescription> - + RHEL-08-020150 RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -4893,14 +4903,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin maxrepeat = 3 - + SRG-OS-000072-GPOS-00040 <GroupDescription></GroupDescription> - + RHEL-08-020160 RHEL 8 must require the change of at least four character classes when passwords are changed. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -4923,14 +4933,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin minclass = 4 - + SRG-OS-000072-GPOS-00040 <GroupDescription></GroupDescription> - + RHEL-08-020170 RHEL 8 must require the change of at least 8 characters when passwords are changed. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -4953,7 +4963,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to difok = 8 - + @@ -4977,7 +4987,7 @@ difok = 8 $ sudo chage -m 1 [user] - + @@ -5003,7 +5013,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ PASS_MIN_DAYS 1 - + 
@@ -5029,7 +5039,7 @@ Add, or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60 - + @@ -5053,7 +5063,7 @@ PASS_MAX_DAYS 60 $ sudo chage -M 60 [user] - + @@ -5085,14 +5095,14 @@ Add the following line in "/etc/pam.d/password-auth" (or modify the line to have password required pam_pwhistory.so use_authtok remember=5 retry=3 - + SRG-OS-000078-GPOS-00046 <GroupDescription></GroupDescription> - + RHEL-08-020230 RHEL 8 passwords must have a minimum of 15 characters. <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. @@ -5119,7 +5129,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to minlen = 15 - + @@ -5149,7 +5159,7 @@ Add, or modify the following line in the "/etc/login.defs" file: PASS_MIN_LEN 15 - + @@ -5179,14 +5189,14 @@ $ sudo useradd -D -f 35 DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. - + SRG-OS-000266-GPOS-00101 <GroupDescription></GroupDescription> - + RHEL-08-020280 All RHEL 8 passwords must contain at least one special character. <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
@@ -5209,14 +5219,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha ocredit = -1 - + SRG-OS-000480-GPOS-00225 <GroupDescription></GroupDescription> - + RHEL-08-020300 RHEL 8 must prevent the use of dictionary words for passwords. <VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -5235,7 +5245,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a dictcheck=1 - + @@ -5263,7 +5273,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr FAIL_DELAY 4 - + @@ -5291,7 +5301,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the $ sudo systemctl restart sshd.service - + @@ -5319,7 +5329,7 @@ PrintLastLog yes The SSH service must be restarted for changes to "sshd_config" to take effect. - + @@ -5345,7 +5355,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077 UMASK 077 - + @@ -5379,7 +5389,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules The audit daemon must be restarted for the changes to take effect. - + @@ -5409,7 +5419,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator action_mail_acct = root - + 
@@ -5441,7 +5451,7 @@ disk_error_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". - + @@ -5475,7 +5485,7 @@ disk_full_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". - + @@ -5503,7 +5513,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: local_events = yes - + @@ -5535,7 +5545,7 @@ name_format = hostname The audit daemon must be restarted for changes to take effect. - + @@ -5565,7 +5575,7 @@ log_format = ENRICHED The audit daemon must be restarted for changes to take effect. - + @@ -5593,7 +5603,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO log_group = root - + @@ -5623,7 +5633,7 @@ $ sudo chown root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". - + @@ -5651,7 +5661,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO log_group = root - + @@ -5681,7 +5691,7 @@ $ sudo chown root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - + @@ -5711,7 +5721,7 @@ $ sudo chgrp root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - + @@ -5741,7 +5751,7 @@ $ sudo chmod 0700 [audit_log_directory] Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". - + 
@@ -5773,7 +5783,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. - + @@ -5803,7 +5813,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO --loginuid-immutable - + @@ -5835,7 +5845,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -5867,7 +5877,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -5899,7 +5909,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -5931,7 +5941,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -5963,7 +5973,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -5995,7 +6005,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -6027,7 +6037,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -6059,7 +6069,7 @@ Install the audit service (if the audit service is not already installed) with t $ sudo yum install audit - + @@ -6091,7 +6101,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -6136,7 +6146,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6168,7 +6178,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6200,7 +6210,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6232,7 +6242,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6264,7 +6274,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6296,7 +6306,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6328,7 +6338,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6361,7 +6371,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6393,7 +6403,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6425,7 +6435,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6457,7 +6467,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -6489,7 +6499,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6521,7 +6531,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6553,7 +6563,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6585,7 +6595,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6617,7 +6627,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6649,7 +6659,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6681,7 +6691,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6713,7 +6723,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6745,7 +6755,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6780,7 +6790,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6820,7 +6830,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -6852,7 +6862,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6885,7 +6895,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6917,7 +6927,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6949,7 +6959,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -6992,7 +7002,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7031,7 +7041,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7069,7 +7079,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7101,7 +7111,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7133,7 +7143,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7165,7 +7175,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7207,7 +7217,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -7249,7 +7259,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO The audit daemon must be restarted for the changes to take effect. - + @@ -7275,7 +7285,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules $ sudo chmod 0640 /etc/audit/auditd.conf - + @@ -7305,7 +7315,7 @@ $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. - + @@ -7337,7 +7347,7 @@ $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by "root". - + @@ -7369,7 +7379,7 @@ $ sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by "root". - + @@ -7404,7 +7414,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul $ sudo yum install rsyslog - + @@ -7439,7 +7449,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul $ sudo yum install rsyslog-gnutls - + @@ -7471,7 +7481,7 @@ overflow_action = syslog The audit daemon must be restarted for changes to take effect. - + @@ -7497,7 +7507,7 @@ space_left = 25% Note: Option names and values in the auditd.conf file are case insensitive. - + @@ -7527,7 +7537,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc port 0 - + @@ -7557,7 +7567,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc cmdport 0 - + @@ -7591,7 +7601,7 @@ If a privileged user were to log on using this service, the privileged user pass $ sudo yum remove telnet-server - + @@ -7621,7 +7631,7 @@ Verify the operating system is configured to disable non-essential capabilities. $ sudo yum remove abrt* - + @@ -7651,7 +7661,7 @@ Verify the operating system is configured to disable non-essential capabilities. $ sudo yum remove sendmail - + @@ -7683,7 +7693,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion $ sudo yum remove rsh-server - + 
@@ -7716,7 +7726,7 @@ blacklist atm Reboot the system for the settings to take effect. - + @@ -7749,7 +7759,7 @@ blacklist can Reboot the system for the settings to take effect. - + @@ -7782,7 +7792,7 @@ blacklist sctp Reboot the system for the settings to take effect. - + @@ -7815,7 +7825,7 @@ blacklist tipc Reboot the system for the settings to take effect. - + @@ -7848,7 +7858,7 @@ blacklist cramfs Reboot the system for the settings to take effect. - + @@ -7879,7 +7889,7 @@ blacklist firewire-core Reboot the system for the settings to take effect. - + @@ -7910,14 +7920,14 @@ blacklist usb-storage Reboot the system for the settings to take effect. - + SRG-OS-000300-GPOS-00118 <GroupDescription></GroupDescription> - + RHEL-08-040111 RHEL 8 Bluetooth must be disabled. <VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. @@ -7933,16 +7943,24 @@ Protecting the confidentiality and integrity of communications with wireless per 2921 CCI-001443 - Configure the operating system to disable the Bluetooth adapter when not in use. + Configure the operating system to disable the Bluetooth adapter when not in use. Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: install bluetooth /bin/true +Disable the ability to use the Bluetooth kernel module. + +$ sudo vi /etc/modprobe.d/blacklist.conf + +Add or update the line: + +blacklist bluetooth + Reboot the system for the settings to take effect. - + - + @@ -7972,7 +7990,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8000,7 +8018,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + 
@@ -8030,7 +8048,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8060,7 +8078,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8088,7 +8106,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8118,7 +8136,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8148,7 +8166,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8178,7 +8196,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8208,7 +8226,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8238,7 +8256,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8268,7 +8286,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8298,7 +8316,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8328,7 +8346,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + 
@@ -8358,7 +8376,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8388,7 +8406,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - + @@ -8418,7 +8436,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO $ sudo systemctl enable sshd.service - + @@ -8454,7 +8472,7 @@ Restart the SSH daemon for the settings to take effect. $ sudo systemctl restart sshd.service - + @@ -8482,7 +8500,7 @@ Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload - + @@ -8506,7 +8524,7 @@ $ sudo systemctl daemon-reload $ sudo yum remove tftp-server - + @@ -8530,14 +8548,14 @@ $ sudo yum remove tftp-server If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040210 RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
@@ -8568,14 +8586,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040220 RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. @@ -8608,14 +8626,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040230 RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. <VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. @@ -8647,14 +8665,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040240 RHEL 8 must not forward IPv6 source-routed packets. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. 
@@ -8685,14 +8703,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040250 RHEL 8 must not forward IPv6 source-routed packets by default. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. @@ -8723,14 +8741,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040260 RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. @@ -8761,14 +8779,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040261 RHEL 8 must not accept router advertisements on all IPv6 interfaces. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. 
@@ -8801,14 +8819,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040262 RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. @@ -8841,14 +8859,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040270 RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. @@ -8881,14 +8899,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040280 RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
@@ -8919,14 +8937,14 @@ Load settings from all system configuration files with the following command: $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040281 RHEL 8 must disable access to network bpf syscall from unprivileged processes. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -8955,14 +8973,14 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040282 RHEL 8 must restrict usage of ptrace to descendant processes. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -8991,14 +9009,14 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040283 RHEL 8 must restrict exposed kernel pointer addresses access. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -9027,14 +9045,14 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040284 RHEL 8 must disable the use of user namespaces. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -9065,14 +9083,14 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040285 RHEL 8 must use reverse path filtering on all IPv4 interfaces. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -9101,7 +9119,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + @@ -9125,7 +9143,7 @@ $ sudo sysctl --system $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - + @@ -9157,7 +9175,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd - + @@ -9183,7 +9201,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us X11UseLocalhost yes - + @@ -9207,7 +9225,7 @@ X11UseLocalhost yes server_args = -s /var/lib/tftpboot - + @@ -9231,7 +9249,7 @@ server_args = -s /var/lib/tftpboot $ sudo yum remove vsftpd - + @@ -9259,7 +9277,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose $ sudo yum remove gssproxy - + 
@@ -9287,7 +9305,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI $ sudo yum remove iprutils - + @@ -9315,7 +9333,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. $ sudo yum remove tuned - + @@ -9345,7 +9363,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access $ sudo yum remove krb5-server - + @@ -9369,14 +9387,14 @@ ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-010383 RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". <VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. @@ -9395,14 +9413,14 @@ Defaults !rootpw Defaults !runaspw - + SRG-OS-000373-GPOS-00156 <GroupDescription></GroupDescription> - + RHEL-08-010384 RHEL 8 must require re-authentication when using the "sudo" command. <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. @@ -9427,7 +9445,7 @@ Defaults timestamp_timeout=[value] Note: The "[value]" must be a number that is greater than or equal to "0". - + @@ -9451,7 +9469,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0". - + 
@@ -9475,14 +9493,14 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p Note: Manual changes to the listed file may be overwritten by the "authselect" program. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-08-040286 RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -9513,7 +9531,7 @@ The system configuration files need to be reloaded for the changes to take effec $ sudo sysctl --system - + @@ -9540,18 +9558,18 @@ Lock an account: $ sudo passwd -l [username] - + - + repotool 5.10 - 2022-03-28T12:45:12 + 2022-06-28T15:27:20 @@ -11139,17 +11157,16 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note - + - RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords. + RHEL-08-021400 - RHEL 8 must prevent the use of dictionary words for passwords. Red Hat Enterprise Linux 8 If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. - + - @@ -12630,7 +12647,7 @@ RHEL 8 incorporates OpenSSH as a default ssh provider. OpenSSH has been a 100 pe - + RHEL-08-040111 - RHEL 8 Bluetooth must be disabled. @@ -12644,6 +12661,7 @@ Protecting the confidentiality and integrity of communications with wireless per + @@ -13523,7 +13541,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - + RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". 
@@ -13533,21 +13551,21 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access For more information on each of the listed configurations, reference the sudoers(5) manual page. - + - + - + - + RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command. @@ -13559,9 +13577,8 @@ When operating systems provide the capability to escalate a functional capabilit If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. - - - + + @@ -13876,7 +13893,7 @@ The sysctl --system command will load settings from all system configuration fil - + @@ -14163,25 +14180,25 @@ The sysctl --system command will load settings from all system configuration fil - - + + - - + + - - + + - - + + @@ -14189,8 +14206,8 @@ The sysctl --system command will load settings from all system configuration fil - - + + @@ -14228,8 +14245,8 @@ The sysctl --system command will load settings from all system configuration fil - - + + @@ -14245,12 +14262,8 @@ The sysctl --system command will load settings from all system configuration fil - - - - - - + + @@ -14788,6 +14801,9 @@ The sysctl --system command will load settings from all system configuration fil + + + @@ -15031,29 +15047,33 @@ The sysctl --system command will load settings from all system configuration fil - + + - + + - + - + + - + + @@ -15096,30 +15116,26 @@ The sysctl --system command will load settings from all system configuration fil - + - + - + - + - + - + - - - - - - + + @@ -15132,7 +15148,7 @@ The sysctl --system command will load settings from all system configuration fil - + @@ -15426,12 +15442,14 @@ The sysctl --system command will load settings from all system configuration fil oval:mil.disa.stig.rhel8:obj:13602 - + + /etc/sudoers ^(?!#).*\s+NOPASSWD.*$ 1 - + + /etc/sudoers.d ^.*$ ^(?!#).*\s+NOPASSWD.*$ 
@@ -15861,41 +15879,109 @@ The sysctl --system command will load settings from all system configuration fil ^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b 1 - - /etc/security/pwquality.conf + + + /etc/security + ^pwquality\.conf.* ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ 1 - - /etc/security/pwquality.conf + + ^/etc/security/pwquality\.conf.* + ^.*$ + ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.rhel8:obj:19700 + oval:mil.disa.stig.rhel8:obj:19701 + + + + /etc/security + ^pwquality\.conf.*$ ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ 1 + + ^/etc/security/pwquality\.conf.*$ + .* + ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.rhel8:obj:19800 + oval:mil.disa.stig.rhel8:obj:19801 + + /etc/security/pwquality.conf ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ 1 - - /etc/security/pwquality.conf + + + /etc/security + ^pwquality\.conf.* ^\s*maxclassrepeat\s*=\s*(\d*)\s*(?:#.*)?$ 1 - - /etc/security/pwquality.conf + + ^/etc/security/pwquality\.conf.* + ^.*$ + ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.rhel8:obj:20000 + oval:mil.disa.stig.rhel8:obj:20001 + + + + /etc/security + ^pwquality\.conf.*$ ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ 1 + + ^/etc/security/pwquality\.conf.*$ + .* + ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.rhel8:obj:20100 + oval:mil.disa.stig.rhel8:obj:20101 + + /etc/security/pwquality.conf ^\s*minclass\s*=\s*(\d*)\s*(?:#.*)?$ 1 - - /etc/security/pwquality.conf + + + /etc/security + ^pwquality\.conf.* ^\s*difok\s*=\s*(\d*)\s*(?:#.*)?$ 1 + + ^/etc/security/pwquality\.conf.* + ^.*$ + ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.rhel8:obj:20300 + oval:mil.disa.stig.rhel8:obj:20301 + + /etc/shadow ^root:[^:]*:[^:]*:0*: 
@@ -15959,11 +16045,24 @@ The sysctl --system command will load settings from all system configuration fil ^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b 1 - - /etc/security/pwquality.conf + + ^/etc/security/pwquality\.conf.*$ + .* ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ 1 + + /etc/security + ^pwquality\.conf + ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ + 1 + + + + oval:mil.disa.stig.rhel8:obj:20900 + oval:mil.disa.stig.rhel8:obj:20901 + + /etc/login.defs ^\s*PASS_MIN_LEN\s+(\d+)\s*$ @@ -15979,17 +16078,25 @@ The sysctl --system command will load settings from all system configuration fil ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ 1 - - /etc/security/pwquality.conf + + + /etc/security + ^pwquality\.conf.* ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ 1 - - /etc/pwquality.conf.d/ - ^.*\.conf$ + + ^/etc/security/pwquality\.conf.* + ^.*$ ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ 1 + + + oval:mil.disa.stig.rhel8:obj:21400 + oval:mil.disa.stig.rhel8:obj:21401 + + /etc/login.defs ^\s*FAIL_DELAY\s+(\d+)\s*$ @@ -16795,6 +16902,12 @@ The sysctl --system command will load settings from all system configuration fil ^[ \t]*install[ \t]+bluetooth[ \t]+/bin/true[ \t]*$ 1 + + /etc/modprobe.d + .* + ^[ \t]*blacklist[ \t]+bluetooth[ \t]*$ + 1 + /dev/shm @@ -17240,17 +17353,25 @@ The sysctl --system command will load settings from all system configuration fil ^\s*Defaults\s+\!runaspw\s*$ 1 - + + /etc/sudoers - ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ + ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ 1 - + + /etc/sudoers.d ^.*$ - ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ + ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ 1 + + + oval:mil.disa.stig.rhel8:obj:41600 + oval:mil.disa.stig.rhel8:obj:41601 + + /etc/pam.d/system-auth \bnullok\b @@ -17791,12 +17912,24 @@ The sysctl --system command will load settings from all system configuration fil 1 + + 2 + + + 2 + 0 0 + + 2 + + + 2 + ^(no|"no")$ 
@@ -17896,12 +18029,12 @@ The sysctl --system command will load settings from all system configuration fil - + repotool 5.10 - 2022-03-28T12:45:12 + 2022-06-28T15:27:20 From b2b2dbba78bb1e182ddfe9e90bd8a8ae5cf33187 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 1 Aug 2022 14:49:09 +0200 Subject: [PATCH 3/3] Update RHEL8 STIG to V1R7 --- products/rhel8/profiles/stig.profile | 4 ++-- products/rhel8/profiles/stig_gui.profile | 4 ++-- tests/data/profile_stability/rhel8/stig.profile | 4 ++-- tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 7adbfee5559..4b480bd2c11 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R6 + version: V1R7 SMEs: - mab879 - ggbecker @@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V1R6. + DISA STIG for Red Hat Enterprise Linux 8 V1R7. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile index 665bc1e059d..fa8bc724a5d 100644 --- a/products/rhel8/profiles/stig_gui.profile +++ b/products/rhel8/profiles/stig_gui.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R6 + version: V1R7 SMEs: - mab879 - ggbecker 
@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6. + DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 2a16a82889a..4bee72830d0 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -1,7 +1,7 @@ title: DISA STIG for Red Hat Enterprise Linux 8 description: 'This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V1R6. + DISA STIG for Red Hat Enterprise Linux 8 V1R7 In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes @@ -23,7 +23,7 @@ description: 'This profile contains configuration checks that align to the - Red Hat Containers with a Red Hat Enterprise Linux 8 image' extends: null metadata: - version: V1R6 + version: V1R7 SMEs: - mab879 - ggbecker diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index e79776f8e90..ece32d06a6f 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -1,7 +1,7 @@ title: DISA STIG with GUI for Red Hat Enterprise Linux 8 description: 'This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6. + DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes 
@@ -34,7 +34,7 @@ description: 'This profile contains configuration checks that align to the standard DISA STIG for Red Hat Enterprise Linux 8 profile.' extends: null metadata: - version: V1R6 + version: V1R7 SMEs: - mab879 - ggbecker
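Review bot: the `tests/data/profile_stability/rhel8/stig.profile` hunk drops the trailing period from the description line: `-      DISA STIG for Red Hat Enterprise Linux 8 V1R6.` becomes `+      DISA STIG for Red Hat Enterprise Linux 8 V1R7`, while `products/rhel8/profiles/stig.profile` and the other two profiles keep `V1R7.`. Because this file is the expected output of the profile stability test, the missing period will make the stored profile differ from the built one; the line should read `DISA STIG for Red Hat Enterprise Linux 8 V1R7.`.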
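Review bot: in the `@@ -17240,17 +17353,25 @@` hunk the `timestamp_timeout` capture group changes from `(\d+)` to `([-\d]+)`, which accepts strings that are not integers at all (`-`, `1-2`, `--5`) and hands them to the state comparison; if the intent is only to admit negative values (the rule text says a value below 0 means the time stamp never expires), `(-?\d+)` is the precise pattern. Since `shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml` is the vendored DISA benchmark, this is best reported upstream rather than patched locally, but it is worth knowing that the OVAL check is looser than the rule describes.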
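Review bot: the pwquality hunks (`@@ -15861,41 +15879,109 @@`, `@@ -15959,11 +16045,24 @@` and `@@ -15979,17 +16078,25 @@`) are internally inconsistent. The paired objects for `maxclassrepeat` and `difok` capture `(\d*)` for `/etc/security/pwquality.conf` but `(-?\d*)` for the `pwquality.conf.*` directory object, so a negative value would be matched by one object and not the other; `dcredit` and `minclass` keep a single `/etc/security/pwquality.conf` object and get no drop-in directory counterpart, so a value set only under a `pwquality.conf.d` file would be missed for those two settings; and the filename patterns vary between `^pwquality\.conf.*`, `^pwquality\.conf.*$` and, for `minlen`, `^pwquality\.conf` without the wildcard. None of this blocks importing the new benchmark, but the differences should be checked against the project's own OVAL for these rules so the two do not drift on drop-in files.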
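Review bot: the `@@ -11139,17 +11157,16 @@` hunk renames the dictionary-words rule from `RHEL-08-020300` to `RHEL-08-021400`. The visible patches only bump the profile version to V1R7; the rule in this project that carries the `RHEL-08-020300` STIG ID reference needs the same rename, otherwise the STIG ID mapping will point at an ID that no longer exists in the benchmark. Please confirm that the companion commit in this series updates that reference.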